Matthew Bunn - A Worst Practices Guide to Insider Threats: Lessons From Past Mistakes

Matthew Bunn is professor of practice and coprincipal investigator of the Project on Managing the Atom at the Belfer Center for Science and International Affairs, Harvard University.

Andreas Hoelstad Dhli is an Oslo-based independent researcher.

Kathryn M. Glynn is a consultant at IBM Global Business Services.

Thomas Hegghammer is the director of terrorism research at the Norwegian Defence Research Establishment (FFI).

Austin Long is an assistant professor at the School of International and Public Affairs and a member of the Arnold A. Saltzman Institute of War and Peace Studies at Columbia University.

Scott D. Sagan is the Caroline S. G. Munro Professor of Political Science and a senior fellow at the Center for International Security and Cooperation, Freeman Spogli Institute for International Studies at Stanford University.

Ronald Schouten is the director of the Law & Psychiatry Service of Massachusetts General Hospital and associate professor of psychiatry at Harvard Medical School.

Jessica Stern is a fellow at the FXB Center for Health and Human Rights at the Harvard School of Public Health and a lecturer in government at Harvard University.

Amy B. Zegart is the codirector of the Center for International Security and Cooperation; a senior fellow, by courtesy, at the Freeman Spogli Institute for International Studies; Davies Family Senior Fellow at the Hoover Institution; and professor, by courtesy, of political science at Stanford University.

This book would not have been possible without the assistance of many people and organizations. It has its origins in two workshops sponsored by the Global Nuclear Future project of the American Academy of Arts and Sciences, the first at Stanford University in 2011 and the second at the American Academy in Cambridge, Massachusetts, in 2014. We also thank the World Institute for Nuclear Security (WINS), which invited us to present our ideas at workshops in Vienna and Johannesburg. We are grateful to all those who participated in these workshops for contributing greatly to our thinking on the problem of insider threats. We have also given seminars on our work at the Los Alamos National Laboratory and the Sandia National Laboratory, and thank the participants in these meetings for sharing insights about the complex challenges we face when dealing with insider threats.

An earlier version of the concluding chapter, our Worst Practices Guide to Insider Threats, was published in 2013 as an occasional paper by the American Academy of Arts and Sciences. Our home institutions, the Managing the Atom (MTA) project at the Harvard Kennedy Schools Belfer Center for Science and International Affairs (BCSIA) and the Center for International Security and Cooperation (CISAC) at Stanford Universitys Freeman Spogli Institute for International Studies (FSI), both generously supported our efforts to research the insider problem. We thank our research assistantsNickolas Roth at Harvard and Anna Coll, Maral Mirshahi, and Reid Pauly at Stanfordfor their superb work in helping us with this project. We are especially grateful to Francesca Giovannini, the program director for Global Security and International Affairs at the American Academy of Arts and Sciences. The Academys work in this area has been generously supported by the Carnegie Corporation of New York, the John D. and Catherine T. MacArthur Foundation, the Hewlett Foundation, the Flora Family Foundation, and the Alfred P. Sloan Foundation. Finally, we owe a great debt to the authors of the individual chapters in this volume, who put in enormous efforts to provide their insights about and analyses of this particularly vexing set of dangers.

Inside the Insider Threat

Matthew Bunn and Scott D. Sagan

Insider threats may be rare within most professional and competent organizations, and especially rare inside organizations that are responsible for protecting the national security of a country and its critical infrastructure. But not all national security organizations are as highly professional and competent as they claim to be, and devastating insider threats have sometimes occurred even within the best of the organizations that have sought to minimize the dangers. Rare does not mean nonexistent.

In this book, readers will encounter many rare but devastating cases of insider threats from around the globe: disloyal personal security guards murdering a prime minister in India; individual soldiers deliberately opening fire on their own military comrades or allied forces in the United States and Afghanistan; employees engaging in sabotage attacks on nuclear reactors in South Africa and Belgium; and a microbiologist working inside a sensitive U.S. biodefense facility and sending deadly anthrax spores through the mail in order to kill reporters and elected officials and terrorize the public. Nuclear materials, because of their dangerous radioactivity and their potential to be used in weapons, are usually considered to be the crown jewels of physical protection. However, insiders pose a serious threat to these materials as well: virtually all the cases of nuclear theft in which the circumstances are known were perpetrated either by insiders or with the help of insiders; also, given that many unsolved cases of nuclear theft involve bulk material stolen without anyone else in the organization being aware that the material was missing, there is every reason to believe that these thefts were also perpetrated by insiders who understood weaknesses in security systems and could cover their tracks afterward. Insiders have also perpetrated a large number of thefts from heavily guarded nonnuclear facilities.

It would be reassuring if the intelligence agencies and the armed services of the United States were immune to insider threats, but that is clearly not the case. Indeed, virtually all of the major U.S. intelligence agencies and branches of the military have also experienced an extremely damaging insider incident. Even a partial list is stunning:

The U.S. military services, intelligence agencies, secret service details, and nuclear security guard forces are supposed to be the best of the best; they are designed to be highly effective national security organizations. So it is significant that even they have suffered serious insider incidents. If the most elite organizations in the nation have had many serious problems in recognizing and dealing with insider threats, doesnt this suggest that other organizations will have even more serious difficulties?